Hi Folks,
Will enabling all the SIEM detection rules consume resources at the agent end?
Also, is it a best practice to enable all the prebuilt SIEM detection rules?
Thanks in advance
Hi @aravindraja, thanks for using Elastic products and posting a question
Will enabling all the SIEM detection rules consume resources at the agent end?
Enabling rules on its own doesn't affect Elastic Agent.
Rules are just one part of the protection. Besides that, it requires setting up data ingestion into Elastic Security.
While exploring Elastic prebuilt rules you may notice related integrations specified. This is for informational purposes. Each specified integration should be installed before enabling the rules. Custom rules may use data ingested via integrations as well. Installed integrations do impact Elastic Agent operation.
Also, is it a best practice to enable all the prebuilt SIEM detection rules?
It depends on your situation.
Prebuilt Elastic rules are marked by tags and can logically be split into groups, for example AWS-related rules or Windows rules. If you don't have Linux machines and there is no data to analyze, there is no point in enabling Linux-related rules.
Enabled rules are still scheduled to run in the task manager and make requests to Elasticsearch, which means resource allocation. If your setup is limited in resources (CPU, memory), this may impact the useful rules.
Let me know if you have additional questions.
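To make the "enable only what you have data for" advice concrete, here is an added example (not Elastic's code and not part of the original thread). It mirrors the rule fields the answer refers to: every prebuilt rule carries `tags` (Elastic uses prefixes such as `OS:` and `Data Source:`) and a `related_integrations` list naming the integration packages it expects. The sample rules are constructed; the bulk-action request body is assumed to match the shape documented for Kibana's `POST /api/detection_engine/rules/_bulk_action`.

```python
"""Plan which prebuilt detection rules to enable, driven by installed integrations.

Added example for this thread, not Elastic code. Rule documents below are
constructed to resemble the Kibana detection-engine API output (tags,
related_integrations, enabled); only the fields used here are kept.
"""
from collections import Counter

# Constructed sample of prebuilt rules (not real Elastic rule content).
SAMPLE_RULES = [
    {"rule_id": "r1", "name": "Linux cron job change",
     "tags": ["OS: Linux", "Data Source: Elastic Defend"],
     "related_integrations": [{"package": "endpoint"}], "enabled": False},
    {"rule_id": "r2", "name": "AWS IAM policy change",
     "tags": ["Data Source: AWS", "Data Source: AWS IAM"],
     "related_integrations": [{"package": "aws", "integration": "cloudtrail"}], "enabled": False},
    {"rule_id": "r3", "name": "Windows service installed",
     "tags": ["OS: Windows", "Data Source: System"],
     "related_integrations": [{"package": "system"}, {"package": "windows"}], "enabled": False},
    {"rule_id": "r4", "name": "Okta MFA reset",
     "tags": ["Data Source: Okta"],
     "related_integrations": [{"package": "okta"}], "enabled": True},
]


def tag_groups(rules):
    """Count rules per tag, i.e. the logical groups the answer describes."""
    return Counter(tag for rule in rules for tag in rule["tags"])


def needed_packages(rule):
    """Integration packages the rule relies on; without them it has nothing to query."""
    return {ri["package"] for ri in rule.get("related_integrations", [])}


def plan(rules, installed_packages, excluded_os=()):
    """Return (enable, disable) lists of rule_ids.

    A rule is worth enabling when every integration it depends on is installed
    and it is not scoped to an OS we do not run. A rule that is already enabled
    but has no data source is put on the disable list, so it stops occupying
    task-manager schedule slots and issuing pointless Elasticsearch queries.
    """
    installed = set(installed_packages)
    enable, disable = [], []
    for rule in rules:
        has_data = needed_packages(rule) <= installed
        wrong_os = any(f"OS: {os_name}" in rule["tags"] for os_name in excluded_os)
        wanted = has_data and not wrong_os
        if wanted and not rule["enabled"]:
            enable.append(rule["rule_id"])
        elif not wanted and rule["enabled"]:
            disable.append(rule["rule_id"])
    return enable, disable


def bulk_action_body(action, rule_ids):
    """Request body for Kibana's rules _bulk_action endpoint (assumed shape).

    `action` is "enable" or "disable"; `ids` are the rule object ids.
    """
    return {"action": action, "ids": list(rule_ids)}


if __name__ == "__main__":
    print(tag_groups(SAMPLE_RULES))
    to_enable, to_disable = plan(SAMPLE_RULES, {"endpoint", "aws", "system"}, excluded_os=("Linux",))
    print(bulk_action_body("enable", to_enable))
    print(bulk_action_body("disable", to_disable))
```

Run against the constructed rules with only `endpoint`, `aws` and `system` installed and Linux excluded, the plan enables just the AWS rule and disables the already-enabled Okta rule, whose integration is missing. The same logic can be applied to the real `_find` output once the rule catalogue has been fetched from Kibana.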